Locky ransomware returns with new tricks up its sleeve

Locky ransomware is back, again, delivered with the help of new tricks to fool users and anti-malware defenses.

Massive spam campaign

Delivered through one of the largest spam campaigns in H2 2017 – as many as 23 million sent messages per day – the newest variant adds the .lukitus extension to the encrypted files.

“Once all the victim’s files have been encrypted the attackers leave decryption instructions by changing the desktop background to an image with instructions as well as a HTM file on the desktop aptly named Lukitus[dot]htm,” AppRiver researchers explained.

The malware arrives in inboxes attached to emails with vague subject lines like “please print”, “documents”, “scans”, “images”, and so on, And, unfortunately for those who get infected, there are no publicly shared methods to reverse this Locky strain.

The crooks behind this malware campaign are asking 0.5 Bitcoin to deliver the decryption key.

“However, when I tried these same links in Google Chrome, they displayed a fake notification stating: ‘The HoeflerText font was not found.’ These notifications also had an ‘update’ button. When I clicked it, I received a JavaScript file named Win.JSFontlib09.js. That JavaScript file is designed to download and install Locky ransomware.”

The same trick works in Firefox:

Booby-trapped Word documents

Finally, Malwarebytes researchers have discovered another campaign seemingly delivering the same Locky variant via booby-trapped Word documents, and using a sandbox-bypass trick previously spotted being used to get the Dridex Trojan onto target machines.

“Malware authors have used booby trapped Office documents containing macros to retrieve their payloads for some time, but ordinarily, the code executes as soon as the user clicks the ‘Enable Content’ button. For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload,” the researchers noted.

“This particular Locky campaign no longer simply triggers by running the macro itself but waits until the fake Word document is closed by the user before it starts to invoke a set of commands. In their current form, the malicious documents are likely to exhibit a harmless behavior in many sandboxes while still infecting end users that would logically close the file when they realize there is nothing to be seen.”